INTERVIEW: Gerald L. Epstein, the White House's tech buff

Gerald L. Epstein is assistant director for national security at the White House Office of Science and Technology Policy.

Epstein has been at the White House since 1995.

Much of the work of government is done by the agencies, and 'they don't need a lot of micromanagement. So we try to focus on those areas where we can make a particular contribution,' he said.

OSTP has been working on initiatives supporting Presidential Decision Directive 63, which requires that agencies cooperate on efforts to protect the nation's web of systems.

From 1983 to 1989 and again from 1991 until it closed in 1995, Epstein worked at the Congressional Office of Technology Assessment, most recently as senior associate.

From 1989 through 1991, he led a study at Harvard University's John F. Kennedy School of Government of the relationship between civil and military technologies. He is co-author of Beyond Spinoff: Military and Commercial Technologies in a Changing World.

Epstein received his bachelor of science degree in physics and electrical engineering from the Massachusetts Institute of Technology and his doctorate from the University of California at Berkeley.

GCN staff writer Christopher J. Dorobek spoke with Epstein at his office in the Old Executive Office Building in Washington.

GCN:' Talk a bit about security and critical infrastructure protection and specifically what initiatives the Office of Science and Technology Policy has in those areas.

EPSTEIN: When the president issued Presidential Decision Directive 63, it set out a number of missions and objectives. It really sets protection of the national infrastructure as a federal objective.

All along, agencies have had responsibility for being able to maintain their own missions. But PDD-63 takes a broader view and says, 'Here are a number of infrastructures that are vital to the functioning of our economy, our national security and our way of life.'

In a number of areas, PPD-63 assigns federal agencies to work with key private-sector groups so we can look at security systems as a whole.

GCN:'There is also a big budget increase proposed for security R&D. Why is this important?

EPSTEIN: There is a 31 percent increase in the fiscal 2001 request for R&D. That is a recognition that new technology is an important part of our response to improving federal infrastructures.

When one looks at the calendar that PDD-63 sets out, we need to have at least some initial operating capability in the year 2000, and for those capabilities, it is pretty much come as you are. Obviously, what we're going to be able to deploy this year are those systems that are already available for that.

But PDD-63 also calls for a more robust capability by 2003, and for that R&D will be quite important. Looking ahead, this is not a problem that is going to go away. It's not a problem we're going to solve once and for all. It's a matter of continuing to monitor vulnerabilities, looking for new ones, looking at new technologies and continuing to make sure we are able to address this problem.

GCN:'What are some of the projects that would get funded with that money?

EPSTEIN: There are a couple of pieces. The president has requested $50 million to create an Institute for Information Infrastructure Protection. There is also some additional money for agencies to follow up on priorities set by an interagency R&D group that looks at infrastructure protection R&D needs.

GCN:'Why is R&D important to information technology security?

EPSTEIN: PDD-63 in some way sets out a new federal mission. It's not just that the we have to secure our own systems, but we have some responsibility for making sure that the basic technology supporting the private infrastructure is there. That is something that may not have been built into federal budgets in previous years.

There is an acknowledgement that for many federal programs we are able to mobilize real expertise to do them, but then there is a real question about who is going to implement the solutions.

If it is a federally operated system, we have the people to operate that and we can make sure the fix gets done. If we're identifying technologies that somebody else is working on, we need to have the process where we have agreement from the public sector that this is something they need and that this is something they are willing to do. That is a new mode of operations.

We have all realized it is not sufficient to do just do chuck wagon technology'where you just ring the bell and have people come and get it. You have to work at an earlier point with the people who are in a position to actually apply it. That argues for a new type of structure.

GCN:'How will you ensure that you don't repeat research that is being done either in the private sector or already somewhere within the government, say at the Defense Department?

EPSTEIN: The institute in particular is looking at research that is not being done elsewhere.

We realize that the private sector'which owns, operates and uses the vast majority of the nation's systems infrastructure'is conducting R&D. And the federal government has long done research to ensure its ability to use information systems and operate effectively.

But the President's Committee of Advisers on Science and Technology noted that there is a considerable need for research that is not being met now and is not likely to be met by existing methods.

There is a lot of technology development that is needed for those private-sector infrastructures that will not be driven by market forces. It is either too long-term or it's too high-risk or it's a particular technology that will benefit everybody and nobody wants to sink the dollars into doing it.

So the president's committee said there are gaps that will not be addressed by the private sector. Even in the government's mission, there are issues that are not addressed in terms of their ability to operate.

The term gap has been analyzed. It has been suggested that there is some kind of canyon, and all we need to do is fill that gap and it will be better. But really there are, in some sense, uncharted seas that are not being addressed.

We need to develop a basic understanding of large, highly complex, highly nonlinear systems. Can they be designed to degrade gracefully? Do we understand how they operate? How they operate under stress?

GCN:'The general consensus is that a lot of the national security research is focused on products that will not necessarily reach the market.

EPSTEIN: It's not only that there are needs the private sector is not likely to meet but that it is R&D that has to be implemented by the owners of these infrastructures.

The president has always said that this is not a mission the federal government can do by itself, but this is a mission the federal government can contribute to.

The idea behind the institute is that there is research that needs to be done to protect our systems as a whole that won't otherwise get done.

We also understand that the expertise to do this research is largely going to be in the private sector. It may well be in government laboratories. We don't think the government cannot do this. But we also realize that we don't have the entire solution.'So when this institute is up and running, it needs to be able to reach out and get that work done by whomever is best able to do it.

GCN:'There are also time considerations, aren't there?

EPSTEIN: The third recommendation from the president's committee is perhaps the most important. With technology developing so quickly, they wanted to make sure a mechanism was set up that could address problems on a comparable timetable.

We didn't want to have to identify a problem and then, two or three budget cycles later, mobilize a program.

GCN:'One of the issues with infrastructure protection is building cooperation between the public and private sectors and creating an environment where everyone can share information. How will you find out what research is being done in the private sector?

EPSTEIN: There may be some reluctance by the private sector to tell us everything they're doing. One way we can respond is to tell them what we are doing. Then they can structure their own resources to complement what we are doing.

But I don't think that is sufficient. I think one of the main objectives of the institute is to be able to find research areas in ways that can show industry where they can benefit from investing their resources along with government. So part of this is working with companies to structure the new research tasks in ways we can both contribute to the effort.